Security UPDATE--Checking Up on Products--June 9, 2004

To make sure that your copy of Security UPDATE isn't mistakenly blocked by antispam software, add [email protected] to your list of allowed senders and contacts.

==== This Issue Sponsored By ====

OpenNetwork

http://www.opennetwork.com/?goto=WinNetSecurity

Windows & .NET Magazine

http://www.winnetmag.com/rd.cfm?code=fsep204xup

1. In Focus: Checking Up on Products

2. Security News and Features

- Recent Security Vulnerabilities

- News: SP2 for Web Developers

- Book Review: Hardening Windows

- Feature: Performing Forensic Analyses, Part 1

3. Security Toolkit

- FAQ

- Featured Thread

4. New and Improved

- Secure Your Property with Network Camera Surveillance

==== Sponsor: OpenNetwork ====

Concerned about meeting auditing and compliance requirements for controlling access to sensitive information? Quickly enable and disable employee access to corporate applications and resources with an effective Identity Management strategy. Read OpenNetwork's free whitepaper, Understanding the Identity Management Roadmap, at

http://www.opennetwork.com/?goto=WinNetSecurity

==== 1. In Focus: Checking Up on Products ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

When you configure your software and hardware to operate in a specific manner, how do you know they really perform as configured? Do you trust that the vendors have developed their products to operate properly? Of course you don't. Right? We all know that vendors, like everybody else, make mistakes.

A case in point appeared on the Bugtraq mailing list last week. A researcher discovered that some Linksys WRT54G wireless routers under some circumstances might expose the administration interface to the WAN interface (typically connected to the Internet), even if the routers are configured to disable remote administration.

So if you turned off remote administration and put the router on an Internet link, assuming the administration interface was disabled, a hacker could use the admin interface to break in. However, if you took a few minutes to probe the router from the WAN side, you might discover that the admin interface still answers even though it's supposedly disabled.

Linksys, a division of Cisco Systems, released a new beta version of the WRT54G firmware to correct the problem, so if you use the device, you might consider loading the beta firmware. You might also consider placing your wireless routers behind a firewall, even if your routers have a built-in firewall, to help minimize unwanted system exposure and unwanted access.

http://www.linksys.com/download/firmware.asp?fwid=201

A case in point for that suggestion pertains to another wireless router, the NETGEAR WG602, also mentioned on Bugtraq last week. Apparently, for some unknown reason, NETGEAR has integrated an undocumented administrator account into its router's firmware. The account can't be disabled, is accessible from the LAN and WAN sides of the router, and has a plaintext logon name and password that researchers have of course discovered. Anybody who uses the router is vulnerable to attack. If you have the router behind some other firewall that blocks access to its administration interface, then at least you're protected against attacks from the outside, but unauthorized users inside the local network could still log on to the router.

The Linksys router vulnerability apparently stemmed from a programming error and has been fixed. But I have no idea why NETGEAR would implement an undocumented administrator account. Maybe it was inadvertently left in place. Clearly, you shouldn't blindly trust products--you need to consider checking them to make sure they perform as expected.

==== Sponsor: Windows & .NET Magazine ====

Get 2 Sample Issues of Windows & .NET Magazine!

Every issue of Windows & .NET Magazine includes intelligent, impartial, and independent coverage of security, Active Directory, Exchange, scripting, and much more. Our expert authors deliver how-to articles and product evaluations that will help you do your job better. Try two, no-risk sample issues today, and find out why 100,000 IT professionals rely on Windows & .NET Magazine each month!

http://www.winnetmag.com/rd.cfm?code=fsep204xup

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.winnetmag.com/departments/departmentid/752/752.html

News: SP2 for Web Developers

Microsoft has published a document on the Microsoft Developer Network (MSDN) titled "How to Make Your Web Site Work with Windows XP Service Pack 2." The article covers design changes you might need to consider regarding ActiveX controls, file download mechanisms, pop-up windows, Java, HTML dialog boxes, and window-positioning restrictions.

http://www.winnetmag.com/article/articleid/42843/42843.html

Book Review: Hardening Windows

For professionals who are heavily involved with Windows, a book titled "Hardening Windows" just cries out to be read. The author of "Hardening Windows" is Jonathan Hassell, a systems administrator and IT consultant who defines the term "hardening" as "the process of protecting a system against unknown threats." He points out that the four cornerstones of any such policy are privacy, trust, authenticity, and integrity. Privacy is the capability that a company or organization possesses to keep information confidential, and trust questions the validity of data and objects by not simply accepting things at face value. Authenticity involves ensuring that people really are who they say they are, and integrity ensures that systems aren't compromised in any way. You can read the entire book review on our Web site.

http://www.winnetmag.com/article/articleid/42751/42751.html

Feature: Performing Forensic Analyses, Part 1

In the "Security Administrator" articles "Building and Using an Incident Response Toolkit, Part 1" (April 2004, InstantDoc ID 41900) and "Building and Using an Incident Response Toolkit, Part 2" (May 2004, InstantDoc ID 42173), Matt Lesko discusses how to quickly and appropriately respond to a computer security incident. In the follow-up article "Performing Forensic Analyses, Part 1," he prepares to analyze the compromised machine by creating a bootable CD-ROM and duplicating the compromised machine's hard disk.

http://www.winnetmag.com/article/articleid/42445/42445.html

==== Announcements ====

(from Windows & .NET Magazine and its partners)

Get 5 Years Worth of SQL Server Tools, Tips, & Content

Introducing version 8 of the SQL Server Magazine Master CD. Subscribe today and get portable, high-speed access to all articles, code, tips, tricks, and expertise published in SQL Server Magazine and T-SQL Solutions. Let this helpful resource save you some time anywhere you are. Subscribe now and get 25% off!

https://secure.pentontech.com/nt/sql/index.cfm?promocode=cbep2146cs

Does Your Company Currently Use Microsoft Windows NT Server?

If your answer is "yes," Windows & .NET Magazine wants your opinion! Take a short survey and register to win an Xbox. Click the link below to help us understand why more than 3 million servers currently run Windows NT Server. Give your opinion about consolidating file print servers and upgrading to Windows 2003.

http://websurveyor.net/wsb.dll/12237/ntserver.htm

The Conference on Securing and Auditing Windows Technologies, July 20-21

New for 2004, The Conference on Securing and Auditing Windows Technologies will be held July 20-21, 2004, at the Fairmont Copley Plaza in Boston, MA. In vendor-neutral sessions on today's hottest topics, you'll get practical strategies for mitigating risk and safeguarding your systems. For more information, call 508-879-7999 or go to:

http://www.misti.com/04/wsa04el05inf.html

==== Hot Release ====

CipherTrust

Spammers are attacking the security and integrity of corporations.

In this white paper, you'll learn to defend your organization against these threats. Topics include:

* The security threat presented by spam

* Spammer methods and techniques

* The impact, including liability and damage to your reputation

http://www.ciphertrust.com/files/forms/article/em-winwp-ad22-p1-ssec-04012004.php

==== 4. Security Toolkit ====

FAQ: How can I recover Microsoft Office Outlook Messages that have been removed by a hard delete?

by John Savill, http://www.winnetmag.com/windowsnt20002003faq

A. Usually when you delete a message, Exchange Server moves it to the Deleted Items folder, which you can empty by right-clicking Deleted Items and selecting Empty "Deleted Items" Folder from the displayed context menu. Alternatively, you can configure Outlook to empty the Deleted Items folder each time you close Outlook. To do so, select Tools, Options and click the Other tab. In the General section, select the "Empty the Deleted Items folder upon exiting" check box.

After Exchange removes items from the Deleted Items folder, it keeps them for 7 days. During this time, you can recover deleted messages from the Deleted Items folder by selecting Tools, Recover Deleted Items.

You can perform a hard delete of a message by highlighting the message and pressing Shift+Del. Performing a hard delete removes the message without moving it to the Deleted Items folder. When you attempt to recover hard-deleted items, you'll see that they aren't listed in the recovery dialog box. If you select the folder from which you performed the hard delete (e.g., Inbox), you'll see that the option to recover deleted items is unavailable from the Tools menu.

If you want to be able to recover items that have been deleted from an Outlook folder--including hard-deleted items--you need to perform the following steps or add the dumpster.reg entry to the registry. You can download the dumpster.reg entry at the URL below.

1. Start the registry editor (regedit.exe).

2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Client\Options subkey.

3. From the Edit menu, select New and click DWORD Value.

4. Enter the name DumpsterAlwaysOn and press Enter.

5. Double-click the new value and set it to 1. Click OK.

6. Close the registry editor.

When you restart Outlook, the option to recover messages should be available for all folders.

http://www.winnetmag.com/articles/download/dumpster_reg.zip

Featured Thread: Directory ACL Report Generator

(Two messages in this thread)

Chris writes that he's looking for a tool that will generate a report of the directory structure and the assigned ACLs on his file servers. He has tried some of the tools from the Windows 2000 Resource Kit, such as showacls and showmbrs, but they don't seem to work on large directory structures like his. Lend a hand or read the responses:

http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=121489

==== Events Central ====

(A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events )

The Exchange Server Seminar Series Coming to Your City in June

Join industry experts Kieran McCorry, Donald Livengood, and Kevin Laahs for this free event! Learn the benefits of migrating to an integrated communications environment, consolidating and simplifying implementation of technology, and accelerating worker productivity. Register now and enter to win an HP iPAQ and $500 cash!

http://www.winnetmag.com/roadshows/exchange2003

==== 5. New and Improved ====

by Jason Bovberg, [email protected]

Secure Your Property with Network Camera Surveillance

RFC Services released Visual Hindsight Professional Edition 1.01, software that supports network cameras and video servers capable of working with industry-standard JPEG still images or motion-JPEG image streams. Version 1.01 permits real-time viewing of as many as 100 cameras and video servers, while simultaneously recording as many as 50 live video streams to disk as compressed AVI files. Visual Hindsight, which costs $149, works with Windows XP, Windows 2000, and Windows NT. You can download a trial version from the Visual Hindsight Web site.

http://www.visualhindsight.com/download.htm

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected].

==== Sponsored Links ====

Argent

Comparison Paper: The Argent Guardian Easily Beats Out MOM

http://ad.doubleclick.net/clk;6480843;8214395;q?http://www.argent.com/products/download_whitepaper.cgi?product=mom&&Source=WNTTextLink

Microsoft(R) TechNet

Microsoft(R) TechNet Webcasts: essential guidance, industry experts

http://ad.doubleclick.net/clk;7759917;8214395;c?http://www.microsoft.com/technet/community/webcasts/default.mspx

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

==== Contact Us ====

About the newsletter -- [email protected]

About technical questions -- http://www.winnetmag.com/forums

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

==== Contact Our Sponsors ====

Primary Sponsor:

OpenNetwork -- http://www.opennetwork.com -- 1-877-561-9500

Hot Release Sponsor:

CipherTrust -- http://www.ciphertrust.com -- 1-877-448-8625